aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Merge branch 'ikev2-fragmentation'Tobias Brunner2014-10-1036-1211/+2658
|\ | | | | | | This adds support for IKEv2 fragmentation as per RFC 7383.
| * testing: Add ikev2/net2net-fragmentation scenarioTobias Brunner2014-10-109-0/+116
| |
| * testing: Update ikev1/net2net-fragmentation scenarioTobias Brunner2014-10-101-2/+2
| |
| * message: Limit maximum number of IKEv2 fragmentsTobias Brunner2014-10-101-1/+11
| | | | | | | | | | | | | | | | The maximum for IKEv1 is already 255 due to the 8-bit fragment number. With an overhead of 17 bytes (x64) per fragment and a default maximum of 10000 bytes per packet the maximum memory required is 14 kB for a fragmented message.
| * packet: Define a global default maximum size for IKE packetsTobias Brunner2014-10-105-18/+9
| |
| * message: Ensure a minimum fragment lengthTobias Brunner2014-10-101-8/+18
| |
| * ikev2: Send retransmits using the latest known addressesTobias Brunner2014-10-101-1/+3
| | | | | | | | | | | | | | For instance, if a DPD exchange is initiated by the gateway when a mobile client is roaming and it then gets a new IP address and sends an address update via MOBIKE, the DPD retransmits would still be sent to the old address and the SA would eventually get closed.
| * ikev2: Send and receive fragmented IKE messagesTobias Brunner2014-10-101-44/+169
| | | | | | | | | | If a fragmented message is retransmitted only the first packet is passed to the alert() hook.
| * ike: IKE_SA may fragment IKEv2 messagesTobias Brunner2014-10-101-1/+1
| |
| * ike: Do not cache MID of IKEv2 fragmentsTobias Brunner2014-10-101-2/+3
| | | | | | | | | | This fails if there are unencrypted payloads before an encrypted fragment payload in the first fragment.
| * message: Fragment and reassemble IKEv2 messagesTobias Brunner2014-10-102-133/+366
| |
| * message: Handle encrypted fragment payload similar to the encrypted payloadTobias Brunner2014-10-101-16/+91
| |
| * ikev2: Add encrypted fragment payloadTobias Brunner2014-10-105-12/+455
| |
| * encrypted_payload: Encrypted payload can be constructed from plaintextTobias Brunner2014-10-102-0/+38
| |
| * encrypted_payload: Expose generate() to generate the plaintextTobias Brunner2014-10-102-1/+17
| |
| * encrypted_payload: Extract some utility functionsTobias Brunner2014-10-101-74/+110
| |
| * message: Split generate() in multiple functionsTobias Brunner2014-10-101-67/+122
| |
| * ikev2: Negotiate support for IKEv2 fragmentationTobias Brunner2014-10-102-1/+24
| |
| * ikev2: Add notify for IKEv2 fragmentationTobias Brunner2014-10-102-7/+15
| |
| * ikev1: Move defragmentation to message_tTobias Brunner2014-10-103-169/+240
| |
| * ike: Move fragmentation to ike_sa_tTobias Brunner2014-10-103-62/+94
| | | | | | | | | | | | | | | | | | The message() hook on bus_t is now called exactly once before (plain) and once after fragmenting (!plain), not twice for the complete message and again for each individual fragment, as was the case in earlier iterations. For inbound messages the hook is called once for each fragment (!plain) and twice for the reassembled message.
| * message: fragment() generates message and fragments and caches themTobias Brunner2014-10-103-58/+109
| |
| * message: Make packet argument optional in generate()Tobias Brunner2014-10-101-1/+4
| |
| * ikev1: Move fragment generation to message_tTobias Brunner2014-10-105-139/+251
| |
| * ike: Rename encryption_payload to encrypted_payloadTobias Brunner2014-10-1010-102/+98
|/
* ipsec: Remove unsupported listcards and rereadgroups commandsTobias Brunner2014-10-081-10/+0
|
* ipsec: Document missing commandsTobias Brunner2014-10-081-1/+11
|
* ipsec: Update usage outputTobias Brunner2014-10-081-18/+17
|
* ipsec: Remove duplicate check for internal commandsTobias Brunner2014-10-081-4/+0
|
* ipsec: Only set PATH if it is not already setTobias Brunner2014-10-081-1/+1
| | | | | | | | | | The comment indicated this but it was always set anyway. All internal commands are called via their absolute paths, so the script only uses PATH for the uname command, but if that is not located in one of the configured directories the script will fail. Also, since the internal commands are called via their absolute paths there is no need to add the directories to PATH.
* ikev1: Fix handling of UNITY_LOAD_BALANCETobias Brunner2014-10-071-3/+3
| | | | | The re-authentication is now handled within the original IKE_SA if it has not yet been established, so we don't want to destroy it.
* ikev1: Don't queue more than one mode config or XAuth taskTobias Brunner2014-10-071-7/+22
| | | | | | | | At the time we reset an IKE_SA (e.g. when re-authenticating a not yet established SA due to a roaming event) such tasks might already be queued by one of the phase 1 tasks. If the SA is initiated again another task will get queued by the phase 1 task. This results in e.g. multiple mode config requests, which most gateways will have problems with.
* testing: Don't check for the actual number of SWID tags in PDP scenariosTobias Brunner2014-10-072-8/+8
| | | | | The number of SWID tags varies depending on the base image, but lets assume the number is in the hundreds.
* testing: Make TNC scenarios agnostic to the actual Debian versionTobias Brunner2014-10-0718-45/+52
| | | | | The scenarios will work with new or old base images as long as the version in use is included as product in the master data (src/libimcv/imv/data.sql).
* testing: Make TKM related build recipes future-proofTobias Brunner2014-10-076-24/+36
| | | | | | | | The tkm scenarios recently failed due to a segmentation fault on my host because I had an old build of the tkm library already built in the build directory. Because the stamp file was not versioned the new release was never checked out or built and charon-tkm was linked against the old version causing a segmentation fault during key derivation.
* version bump to 5.2.1rc1Andreas Steffen2014-10-061-1/+1
|
* Merge branch 'ext-auth'5.2.1dr1Martin Willi2014-10-0618-249/+1644
|\ | | | | | | | | | | Integrates the ext-auth plugin by Vyronas Tsingaras. The new child process abstraction simplifies implementation in both the new ext-auth and the existing updown plugin, and makes them available on the Windows platform.
| * NEWS: Mention new ext-auth pluginMartin Willi2014-10-061-0/+3
| |
| * ext-auth: Add an ext-auth plugin invoking an external authorization scriptMartin Willi2014-10-069-0/+512
| | | | | | | | Original patch courtesy of Vyronas Tsingaras.
| * updown: Use process abstraction to invoke updown scriptMartin Willi2014-10-061-246/+215
| |
| * process: Add a wrapper to invoke a command under the system default shellMartin Willi2014-10-063-0/+110
| |
| * process: Port child process spawning to the Windows platformMartin Willi2014-10-062-1/+315
| |
| * process: Provide an abstraction to spawn child processes with redirected I/OMartin Willi2014-10-067-3/+490
|/
* testing: Updated certificates and keys in sql scenariosAndreas Steffen2014-10-0635-121/+121
|
* Added IF-M Segmentation support to NEWSAndreas Steffen2014-10-051-0/+5
|
* Incremental parsing fixesAndreas Steffen2014-10-052-14/+9
|
* Updated revoked certificate in ikev2/ocsp-revoked scenarioAndreas Steffen2014-10-052-42/+42
|
* The critical-extension scenarios need the old private keysAndreas Steffen2014-10-054-0/+108
|
* Added add_segment() method to TCG/PTS attributesAndreas Steffen2014-10-0518-26/+157
|
* Added add_segment() method to TCG/SEG attributesAndreas Steffen2014-10-053-25/+49
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 07:15:53 +0000